Define your Minimum Viable Company now to survive the next shock

  • Insight
  • 10 minute read
  • October 30, 2025

From cyber attacks to technology outages and supply chain shocks, resilience isn’t a technical fix - it’s a strategic necessity for every boardroom. To survive this scale of disruption, companies need to understand their Minimum Viable Company (MVC) and plan for how they would continue to deliver those essential activities in the face of existential crises.

For the third consecutive year, the number of highly significant cyber attacks on British businesses has increased. At the same time, intelligence reports and think tank research flag how simultaneous geopolitical, technological and economic threats are coalescing into a dense matrix of interconnected issues that represents the most unstable period since the Second World War.

Against this backdrop, business leaders of all stripes need urgently to move beyond prevention to ensure they can respond, recover and adapt when their operations face disruption. By embedding resilience as a core board priority, CEOs, CTOs and COOs can safeguard continuity, protect stakeholder trust and secure the foundations for future growth.

“The time to act is now... you must have a plan for continuity. You must know how to keep going should an attack get through. Because when an attack does break through it is the strength of these pre-engineered solutions that determines an organisation’s ability to endure, respond, rebuild, survive.”

Dr Richard Horne, Chief Executive of the National Cyber Security Centre

The UK government has made its position clear. It has written to FTSE350 Board Chairs asking them to make cyber resilience a top priority. The increasing sophistication and frequency of hostile cyber activity means it is now a threat to the economic and national security of the UK. Crucially, the government sees CEOs and business leaders as the ones who must lead the response within organisations – it is not the sole purview of CISOs. As Security Minister Dan Jarvis noted in his speech “Everyone Has a Role to Play in Building Our National Resilience”:

“The UK’s approach is about every single part of our society working together - ensuring that we can meet the security challenges of today - and we remain more than resilient to tackle the challenges of the future.”

This alignment between government and business underscores that resilience is not just a technical or organisational issue, but a shared national endeavour that requires commitment at every level of leadership.

While prevention remains critical, attackers are increasingly able to bypass even well-resourced controls, so operational resilience, effective response and recovery at pace are now as vital as prevention. For some, this will have traditionally been viewed as a technical issue and the responsibility of IT. But the impacts of disruptions of this nature have extended well beyond systems and processes, affecting reputation, market integrity and customer trust.

Defining your Minimum Viable Company (MVC)

To prepare for future disruption, organisations must adopt the concept of the Minimum Viable Company (MVC). Defining your Minimum Viable Company means identifying the essential services, processes and functions that must remain operational to keep the organisation financially, operationally and strategically viable in a crisis.

Delivering the MVC involves:

  • Developing and testing manual workarounds to validate what is described within Business Continuity plans.
  • An ability to recover critical IT and data required to sustain those elements of the MVC which cannot be delivered manually. This will include both user-facing platforms, and core underlying ‘Tier 0’ infrastructure.
  • Identifying which elements of the supply chain are critical to sustaining the MVC, including understanding which suppliers, logistics partners and distribution channels are absolutely essential to maintaining minimal service levels and cash flow.

Once the MVC is re-established in a crisis, the focus shifts to rebuilding sustainable operations: restoring full functionality, rebuilding the underpinning technology, recovering the rest of the business, and returning to profitability.

When the MVC isn’t understood and agreed in advance, crisis response becomes fragmented, and the recovery slows, risking long-term viability. In contrast, organisations that plan, test and embed their MVC respond faster, adapt better and gain competitive advantage.

Your weaknesses and strengths can be found in your dependencies

Every organisation relies on a complex web of technology, people, suppliers, data and physical assets. These interdependencies can either be a source of strength or a point of failure. Mapping these connections provides a holistic view of where your business is robust and where it’s vulnerable. This insight enables leadership teams to identify critical weaknesses, strengthen operational continuity and prevent minor issues from escalating into crises.

The time to act is now

Business leaders know that disruptions are no longer a possibility for the unlucky, but an assured reality. Organisations that actively define and internalise their MVC are allowing themselves not only to respond swiftly to any disruption, but also to recover faster and stronger in its wake.

Acting now enables businesses to ensure continuity, preserve market integrity, and protect customer trust, highlighting the vital role CEOs, CTOs and COOs play in spearheading resilience initiatives for sustained, robust growth. Businesses play a vital role in building resilience across society, managing the supply chains, services and infrastructure people depend on. In short, the positive impact of taking decisive action extends far beyond an organisation.

There are five immediate actions organisations need to take now:

1. Establish governance and define your Minimum Viable Company – establish a governance structure to oversee cyber response and recovery capabilities as part of wider operational resilience. Map the critical parts of your business and the minimum viable IT that absolutely needs to keep running when everything else is under pressure. This should include your critical external and internal services. Scrutinise your key suppliers, systems, and teams to see where things could break and what you rely on most.

2. Develop and test a clear “Invoke and Contain” plan – agree activation triggers, leadership responsibilities, containment actions, and predefined escalation routes to enable rapid, decisive response when an incident occurs.

3. Test your crisis management and crisis communications – for those who do not have a capability, now is the time to put this in place; those with existing structures must test this end-to-end, including the business continuity and technical recovery capability.

4. Review and build your business continuity (BC) capability – even if you have a BC capability, review it. Are you confident it is fit for purpose in the event of a total loss of IT scenario? Determine the plans that are necessary to maintain and recover your MVC when a critical loss of platform occurs. Review and update the business continuity documentation to ensure your organisation is prepared to revert to manual processes.

5. Mature your technology resilience and recovery capabilities – develop technology resilience by ensuring the technology assets on which critical processes depend are fully understood and mapped, including foundational, or tier ‘0’, infrastructure. Recovering from a destructive cyber incident requires specific cyber recovery capabilities such as immutable backups of data, and large-scale technology recovery tools and rebuild capabilities.

Resilience isn’t just about surviving the next shock – it’s about building the confidence to thrive through it.

The organisations that act now will not only endure disruption but emerge from it stronger, more agile, and better prepared for what comes next.

Find out more about how we are helping organisations ensure continuity through crisis

Contact us

Bobbie Ramsden-Knowles

Crisis and resilience Partner, PwC United Kingdom

Tel: +44 (0)7483 422701

James Houston

Crisis and resilience Partner, PwC United Kingdom

Tel: +44 (0)7876 207850

James Rashleigh

Cyber Security Partner and Cyber Business Leader, PwC United Kingdom

Tel: +44 (0)7808 028337

Karen Penman

Crisis and resilience Partner, PwC United Kingdom

Tel: +44 (0)7899 797331
